
Kaspersky Lab comments on recent WannaCry ransom attacks

May 15, 2017

The world has seen the largest wave of ransomware attacks on institutions to date. Kaspersky Lab researchers have analyzed the data and can confirm that the company's protection systems detected at least 45,000 infection attempts in 74 countries, most of them in Russia.

The ransomware infects victims by exploiting a vulnerability that is described, and patched, in Microsoft Security Bulletin MS17-010. The exploit used in the attack, EternalBlue, became publicly available through the Shadow Brokers' dump of 14 April 2017.

Once the attackers have penetrated a system, they install a rootkit, which lets them download the program that encrypts the data. The malware then encrypts the files. A ransom demand of US$600 in Bitcoin is displayed together with the wallet address, and the demanded amount increases over time.

Kaspersky Lab experts are currently trying to determine whether the data locked by this attack can be decrypted, with the aim of developing a decryption tool as soon as possible.

Kaspersky Lab says its security solutions detect the malicious code used in this attack under the following detection names: Trojan-Ransom.Win32.Scatter.uf, Trojan-Ransom.Win32.Scatter.tr, Trojan-Ransom.Win32.Fury.fr, Trojan-Ransom.Win32.Gen.djd, Trojan-Ransom.Win32.Wanna.b, and Trojan-Ransom.Win32.Wanna.c.

Further detection names are Trojan-Ransom.Win32.Wanna.d, Trojan-Ransom.Win32.Wanna.f, Trojan-Ransom.Win32.Zapchast.i, Trojan.Win64.EquationDrug.gen, and Trojan.Win32.Generic (for the last of these, System Watcher must be enabled).

The company's researchers recommend several measures to reduce the impact of this attack: install the official Microsoft patch, which closes the vulnerability used in the attack, and make sure security solutions are enabled and running on every node in the network.

Users of a Kaspersky Lab solution should make sure it includes the System Watcher component, which focuses on proactive behavioral detection, and that this component is switched on. They should also run the Critical Area Scan task in the Kaspersky Lab solution to detect a possible infection as early as possible (otherwise the infection will be detected automatically, if the product is not switched off, within 24 hours).

Kaspersky Lab researchers also recommend rebooting the system after a detection of MEM:Trojan.Win64.EquationDrug.gen, and using the Customer-Specific Threat Intelligence Reporting service.
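To put the patch recommendation into practice on each node, here is a host check written for this article by the editor; it is not Kaspersky Lab's code and nothing in the original text provides it. It assumes a Windows host with PowerShell 3 or later in an elevated session. The KB identifiers in $Ms17010Kbs are the editor's list of the March 2017 MS17-010 updates and should be verified against the bulletin for each OS version; because later cumulative updates supersede those KBs, the script also reports the newest installed update and the SMBv1 state rather than treating "KB not found" as proof of exposure.

```powershell
# Added example (not Kaspersky Lab's code): report whether this host is still exposed
# to the MS17-010 vulnerability used by WannaCry. Assumes PowerShell 3+ and an elevated
# session. The KB list below is an assumption: the editor's list of the March 2017
# MS17-010 updates; verify it against the bulletin. Later cumulative updates supersede
# these KBs, so "KB not found" alone does not prove the host is unpatched.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
$Ms17010Release = Get-Date '2017-03-14'    # release date of the bulletin

function Get-Smb1Enabled {
    # Prefer the SMB module (Windows 8 / Server 2012 and later); fall back to the
    # LanmanServer registry value, which is absent on older builds where SMBv1 is on by default.
    try {
        return [bool](Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        if ($null -eq $val) { return $true }
        return ($val -ne 0)
    }
}

function Test-Ms17010Exposure {
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue)
    $found    = @($hotfixes | Where-Object { $_.HotFixID -in $Ms17010Kbs } | ForEach-Object HotFixID)
    # Newest update of any kind: a rollup installed after the bulletin normally carries
    # the fix even when none of the listed KBs appears by name.
    $newest   = $hotfixes | Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending | Select-Object -First 1
    $smb1On   = Get-Smb1Enabled

    $verdict = if ($found.Count -gt 0) {
        'Patched: an MS17-010 update is installed'
    } elseif ($newest -and $newest.InstalledOn -ge $Ms17010Release) {
        'Probably patched by a later rollup; confirm in your patch management system'
    } elseif (-not $smb1On) {
        'No MS17-010 update found, but SMBv1 is disabled, which blocks the SMBv1 path EternalBlue uses'
    } else {
        'EXPOSED: no MS17-010 update found and SMBv1 is enabled. Patch now'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = [Environment]::OSVersion.Version.ToString()
        Smb1Enabled     = $smb1On
        Ms17010KbsFound = ($found -join ', ')
        NewestUpdate    = if ($newest) { '{0} ({1:yyyy-MM-dd})' -f $newest.HotFixID, $newest.InstalledOn } else { 'none' }
        Verdict         = $verdict
    }
}

Test-Ms17010Exposure | Format-List
```

To cover every node in the network, as the recommendations call for, save the block as a script and run it through PowerShell remoting, for example with Invoke-Command -ComputerName (Get-Content hosts.txt) -FilePath .\Test-Ms17010Exposure.ps1, then review the Verdict column for hosts reported as EXPOSED.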